detect grouping: warn on and fix up bad sigs

Only inspect directionless SYN scan sigs toserver. Issue a warning for those rules.
10 years ago · 5772f526dc
parent 2ce03fbabb
commit 5772f526dc
3 changed files with 16 additions and 0 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -3008,6 +3008,20 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
        else
            BUG_ON(1);

+        /* see if we want to exclude directionless sigs that really care only for
+         * to_server syn scans/floods */
+        if ((direction == SIG_FLAG_TOCLIENT) &&
+             DetectFlagsSignatureNeedsSynPackets(s) &&
+             DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+            ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
+            (!(s->dp->port == 0 && s->dp->port2 == 65535)))
+        {
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: SYN-only to port(s) %u:%u "
+                    "w/o direction specified, disabling for toclient direction",
+                    s->id, s->dp->port, s->dp->port2);
+            goto next;
+        }
+
        while (p) {
            DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
            BUG_ON(tmp == NULL);
--- a/src/util-error.c
+++ b/src/util-error.c
@ -316,6 +316,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_ERR_JSON_STATS_LOG_NEGATED);
        CASE_CODE (SC_ERR_DEPRECATED_CONF);
        CASE_CODE (SC_WARN_FASTER_CAPTURE_AVAILABLE);
+        CASE_CODE (SC_WARN_POOR_RULE);
    }

    return "UNKNOWN_ERROR";
--- a/src/util-error.h
+++ b/src/util-error.h
@ -306,6 +306,7 @@ typedef enum {
    SC_ERR_JSON_STATS_LOG_NEGATED, /** When totals and threads are both NO in yaml **/
    SC_ERR_DEPRECATED_CONF, /**< Deprecated configuration parameter. */
    SC_WARN_FASTER_CAPTURE_AVAILABLE,
+    SC_WARN_POOR_RULE,
 } SCError;

 const char *SCErrorToString(SCError);